On Tuesday 6 October, 2015 the Court of Justice of the European Union ("ECJ") ruled, in the case of Schrems v Data Protection Commissioner, that the 'Safe Harbour' arrangements between the United States and the European Commission are invalid. These arrangements, agreed between the United States and the European Commission, allowed companies based in the U.S. to store personal data about European citizens on U.S. based computer servers without breaching E.U. data protection law (in Ireland; the Data Protection Acts 1988 and 2003). Companies agree to adhere to the Safe Harbour principles, enforced by the U.S. Federal Trade Commission, and as a result are deemed to provide sufficient protection for the personal data. This has allowed Irish subsidiaries of U.S. companies, or even Irish companies which use service providers based in the U.S., transfer personal data to the U.S. without breaching data protection laws.
Facts of the case
This case is the culmination of an action brought against Facebook in the Irish High Court by an Austrian student, Max Schrems. Mr Schrems argued that personal data processed by Facebook is unprotected because it is transferred to the United States, where it is not treated in accordance with EU data protection laws.
Mr Schrems made a complaint to the Irish Data Protection Commissioner (the "DPC") in relation to the processing and transfer of data by Facebook to the U.S. The DPC declined to investigate the matter arguing that the issue was covered under the 'Safe Harbour' convention. Mr Schrems challenged the decision of the DPC in the Irish High Court and the High Court in turn referred the matter to the ECJ on a point of European Law.
Decision of the ECJ
The ECJ ruled as invalid the 'Safe Harbour' arrangements which allowed for the transfer of personal data to the U.S. The ECJ found that the European Commission had neither the legal means to police the Safe Harbour agreement nor the power to prevent U.S. intelligence from collating EU citizens' data. Rather than wait for a successor agreement, the ECJ dismissed the existing arrangement as a breach of EU data rules and the fundamental rights of EU citizens. The ECJ also found that the DPC was not precluded from investigating the original compliant.